Security & privacy

Your source code is never written to our disk in plaintext. A short-lived worker clones, scans, encrypts the feature map with AES-256-GCM, then wipes itself — we hold ciphertext and a wrapped key, and the master key never leaves AWS KMS.

Privacy modes

Same data-flow shape, three visibility windows. Pick once at the org level; move along the scale as your compliance bar rises.

Standard
All tiers · default

Dynvo sees: Feature & flow names, the file-path index, metrics, and runtime counts from Sentry / PostHog.

Encrypted: Line ranges, narrative descriptions, symbol attribution, dependency graphs — encrypted at rest with a per-org key.

Best for: Most SaaS teams

Private
Scale & above · CMK · coming soon

Dynvo sees: Only opaque UUIDs, aggregate counts, and commit timestamps.

Encrypted: Feature & flow names, file paths, and everything from Standard — encrypted with your key. PR comments render on your CI runner.

Best for: Fintech · healthcare · sensitive code

Sovereign
Enterprise · self-hosted

Dynvo sees: A periodic license-check ping — nothing else.

Encrypted: Everything. Engine, dashboard, and Postgres run as a Docker image entirely inside your VPC. Air-gapped supported.

Best for: Banks · defense · regulated industries

Encryption architecture

Envelope encryption with per-org keys: a per-scan data key encrypts the feature map, and that key is wrapped by your org's KMS master key, bound to {org, scan} so it's useless outside its scope. Customer-Managed Keys (Scale & Enterprise) let you revoke our decrypt access at any moment. Runtime data stays aggregate — counts and event IDs, never request bodies or PII.
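
The envelope scheme described above, as an added example that is not Dynvo's code: a local 32-byte key stands in for the KMS master key, and binding the wrapped key to {org, scan} through AES-GCM additional authenticated data is an assumption about how such a binding can be done. All function names are hypothetical.

```javascript
// Added illustration, not Dynvo's code. A local key stands in for the KMS master key.
const crypto = require("node:crypto");

// AES-256-GCM seal: returns iv || tag || ciphertext and authenticates `aad` too.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per call
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key, the blob, or the aad differs.
function unseal(key, blob, aad) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Assumed binding format: the {org, scan} pair serialized with a fixed key order.
const scope = (org, scan) => Buffer.from(JSON.stringify({ org, scan }));

// Encrypt one scan's feature map under a fresh data key, then wrap that key.
function encryptScan(masterKey, org, scan, featureMap) {
  const dataKey = crypto.randomBytes(32); // per-scan data key
  const ciphertext = seal(dataKey, Buffer.from(featureMap), scope(org, scan));
  const wrappedKey = seal(masterKey, dataKey, scope(org, scan));
  dataKey.fill(0); // only the ciphertext and the wrapped key are kept
  return { ciphertext, wrappedKey };
}

// Unwrap the data key for the claimed scope, then decrypt the feature map.
function decryptScan(masterKey, org, scan, record) {
  const dataKey = unseal(masterKey, record.wrappedKey, scope(org, scan));
  try {
    return unseal(dataKey, record.ciphertext, scope(org, scan)).toString();
  } finally {
    dataKey.fill(0);
  }
}

// Returns true when decryption is refused (wrong scope or wrong master key).
function isRefused(masterKey, org, scan, record) {
  try { decryptScan(masterKey, org, scan, record); return false; } catch { return true; }
}
```

With a real KMS the unwrap step is a remote call, so the same scope check is enforced on the key service side rather than in application code.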